The number of organizations that accept credit cards as payment, and the number of methods they utilize to accept those payments, has grown exponentially in the last several years. The number and complexity of services and systems to support those organizations has also proliferated at … Read more
While assessing one of the largest public sector enterprises recently, I asked for the routine maintenance reports and records for IT, Human Resource & Facility Administration. The auditee promptly dug out the files and presented the requisite records. While reviewing the records I noticed that … Read more
“Ask the QSA” Question: Is there a PCI Compliance certificate that we need to ask vendors for? Answer: There is no “certificate” for PCI compliance. You can ask for an AOC (Attestation of Compliance) which, properly completed, should assist you in knowing what PCI compliant services … Read more
2014 has been a year filled with news about breaches – big breaches – record breaking breaches. I have spent the majority of the year talking to many people about PCI DSS version 3.0 SAQs. I have spoken to Merchant Banks, Processors, small businesses, IT … Read more
“Ask the QSA” Question: My organization is an online service provider. Our customers are merchants (i.e., our customers are receiving the payment through our servers) and the credit card payment storage is done by a Level 1 PCI DSS Validated third party. Does my organization … Read more
Question: We are considering moving a server containing cardholder data to a hosted private cloud provider. Is it necessary that the provider have a PCI DSS assessment of their own and produce an Attestation of Compliance? What if they produce a report from an independent … Read more